CVE-2024-36931

HIGH

Linux Kernel 5.13-5.15.158, 5.16-6.1.90, 6.2-6.6.30, 6.7-6.8.9 - Out-of-bounds Read in s390/cio Buffer Handling

Title source: llm

Description

In the Linux kernel, the following vulnerability has been resolved: s390/cio: Ensure the copied buf is NUL terminated Currently, we allocate a lbuf-sized kernel buffer and copy lbuf from userspace to that buffer. Later, we use scanf on this buffer but we don't ensure that the string is terminated inside the buffer, this can lead to OOB read when using scanf. Fix this issue by using memdup_user_nul instead.

References (5)

Core 5

Core References

Patch

https://git.kernel.org/stable/c/c9d48ce163305595ae20aee27774192476d5e6a5

Patch

https://git.kernel.org/stable/c/10452edd175fcc4fd0f5ac782ed2a002e3e5d65c

Patch

https://git.kernel.org/stable/c/84b38f48836662c4bfae646c014f4e981e16a2b2

Patch

https://git.kernel.org/stable/c/06759ebaf75c19c87b2453a5e130e9e61e9b5d65

Patch

https://git.kernel.org/stable/c/da7c622cddd4fe36be69ca61e8c42e43cde94784

Scores

CVSS v3 7.1

EPSS 0.0023

EPSS Percentile 14.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-125

Status published

Products (18)

linux/Kernel 5.13.0 - 5.15.159linux

linux/Kernel 5.16.0 - 6.1.91linux

linux/Kernel 6.2.0 - 6.6.31linux

linux/Kernel 6.7.0 - 6.8.10linux

Linux/Linux < 5.13

Linux/Linux 5.13

Linux/Linux 5.15.159 - 5.15.*

Linux/Linux 6.1.91 - 6.1.*

Linux/Linux 6.6.31 - 6.6.*

Linux/Linux 6.8.10 - 6.8.*

... and 8 more

Published May 30, 2024

Tracked Since Feb 18, 2026